I'm working up a documentation patch to make this spelled out more explicitly
but I wonder if there isn't more that should be done.

Currently ``Model.full_clean`` is not called automatically when saving a model.
This is not a big deal when manually constructing your models as you can
just do:

    m = MyModel(field=foo)
    m.full_clean()
    m.save()

However there is no easy way to get a similar behavior when using
``MyModel.objects.create`` or ``MyModel.objects.get_or_create``.

The documentation currently mentions that get_or_create is useful in data
import scripts, but also mentions using it in views. My patches will try to
make it more explicit that it's unsafe to assume that the constraints in the
field (e.g. URLField) will be enforced, but I wonder if maybe it would make
sense to either make running ``full_clean`` the default or provide a way for
people to specify that it should be run. It appears that it's not run by
default due to backwards compatibility:
https://code.djangoproject.com/changeset/12103 .

Currently I would assume, both because of the lack of warning in the
documentation and because it isn't obvious behavior (e.g. a URLField that
accepts unsafe input, such as ``javascript:alert("xss");``), that more than
one Django-powered site is vulnerable to attacks such as an XSS where they are
using ``create`` or ``get_or_create`` manually without passing through a form.
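The gap described above, and the usual mitigation (a manager whose ``create`` runs ``full_clean()`` before saving), as an added example that is not part of the original post. It is plain Python that stands in for Django's model/manager split so it runs without Django installed; ``ValidationError``, ``Link``, ``Manager`` and the scheme allow-list are assumptions modelled on Django's ``URLValidator``, not Django's own code. The same override applies to ``get_or_create``.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class ValidationError(Exception):
    """Stand-in for django.core.exceptions.ValidationError."""


# Assumption: mirrors the default scheme allow-list of Django's URLValidator.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def validate_url(value: str) -> None:
    """Reject anything that is not an absolute URL with an allowed scheme."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValidationError(f"Enter a valid URL: {value!r}")


@dataclass
class Link:
    """Toy model with one URLField-like attribute (not a Django model)."""
    url: str
    saved: bool = field(default=False, init=False)

    def full_clean(self) -> None:
        validate_url(self.url)

    def save(self) -> None:
        # Like Django, save() itself does not validate; a caller must full_clean().
        self.saved = True


class Manager:
    """Mimics Model.objects.create(): constructs and saves, never calls full_clean()."""
    def create(self, **kwargs) -> Link:
        obj = Link(**kwargs)
        obj.save()
        return obj


class ValidatingManager(Manager):
    """Mitigation: validate before the row is written, so bad input never persists."""
    def create(self, **kwargs) -> Link:
        obj = Link(**kwargs)
        obj.full_clean()  # raises ValidationError before save() runs
        obj.save()
        return obj


def accepts(manager: Manager, url: str) -> bool:
    """True if the manager persisted the value, False if validation stopped it."""
    try:
        return manager.create(url=url).saved
    except ValidationError:
        return False
```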
